US2005138425A1PendingUtilityA1

Method of analyzing network attack situation

45
Priority: Dec 18, 2003Filed: Sep 10, 2004Published: Jun 23, 2005
Est. expiryDec 18, 2023(expired)· nominal 20-yr term from priority
H04L 63/1441H04L 63/1408
45
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Provided is a method for analyzing a network attack situation. The method categorizes network intrusion detection alerts into network attack situations, counts the frequency of same-featured intrusion alert occurrence for each network attack situation using a counting algorithm based on time slots, and analyzes the network attack situation based on the frequency of same-featured intrusion detection alert occurrence, the rate of same-featured intrusion detection alert occurrence, or an AND/OR combination of them. The network attack situation can be correctly detected in real time without relatively being influenced by the size of the network or amount of the occurrence of the intrusion detection alerts.

Claims

exact text as granted — not AI-modified
1 . A method for analyzing network attack situations comprising: 
 categorizing network intrusion detection alerts into predetermined attack situations;    counting the frequency of same-featured intrusion alert occurrence for each network attack situation using a counting algorithm which is time slot based; and    analyzing network attack situations based on the the frequency of same-featured intrusion detection alert occurrence, the rate of same-featured intrusion detection alert occurrence, or an AND/OR combination of them.    
   
   
       2 . The method of  claim 1 , wherein categorizing includes categorizing the network intrusion detection alerts based on attack name, source IP address, target IP address, and target service information into each network attack situation.  
   
   
       3 . The method of  claim 1 , wherein counting comprises: 
 preparing a number of buckets equal to the dividing the analysis time interval by time slot units;    sequentially recording the frequency of occurrence of the network attack situations occurring at each time slot in the bucket; and    summing the frequency of occurrence recorded in the bucket.    
   
   
       4 . The method of  claim 3 , wherein the recording includes recording the frequency of occurrence from the start of the bucket after recording the frequency of occurrence at the end of the buckets which are arranged consecutively.  
   
   
       5 . The method of  claim 1 , wherein analyzing includes analyzing and categorizing the network attack situations into the three stages of warning, declaration, and confirmation.  
   
   
       6 . A computer readable recording medium in which a program for operating a method of analyzing network attack situations in a computer is recorded, the method comprising: 
 categorizing network intrusion detection alerts into predetermined network attack situations;    counting a frequency of same-featured intrusion detection alert occurrence for each network attack situation using a counting algorithm based on time slots; and    analyzing network attack situations based on the frequency of same-featured intrusion detection alert occurrence, the rate of same-featured intrusion detection alert occurrence, or an AND/OR combination of them.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.